Information disclosure in content hub

Summary

An improper removal of sensitive information before storage or transfer vulnerability [CWE-212] in FortiSOAR may allow an authenticated, low-privileged user to read Connector passwords in plain text via HTTP responses.
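The mitigation for this bug class, as an added example that is not Fortinet's code: credential fields are stripped from a connector record before it is serialised into an HTTP response, and a second function checks whether configured secrets appear verbatim in a response body, which is a useful regression test after upgrading. The field-name pattern and the sample connector record are constructed; the advisory does not give FortiSOAR's real field names.

```python
import json
import re
from typing import Any

# Constructed pattern for credential-bearing field names; the real
# FortiSOAR connector schema is not described in the advisory.
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.I)
REDACTED = "********"


def redact_secrets(value: Any) -> Any:
    """Return a copy of `value` with every secret-named field replaced by REDACTED.

    Walks nested dicts and lists so credentials anywhere in a connector's
    configuration block are removed before the object is serialised into an
    HTTP response (the CWE-212 mitigation). The input is not modified.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if SECRET_KEY_PATTERN.search(str(k)) and v not in (None, "")
                else redact_secrets(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_secrets(item) for item in value]
    return value


def find_plaintext_secrets(payload: Any, known_secrets: list[str]) -> list[str]:
    """Detection check: which of the configured secrets appear verbatim in a response?

    `payload` is a response body string or an object about to be serialised.
    An empty list means none of the supplied secrets leaked in plain text.
    """
    body = payload if isinstance(payload, str) else json.dumps(payload)
    return [s for s in known_secrets if s and s in body]


# Constructed sample: a connector record as an API handler might load it.
SAMPLE_CONNECTOR = {
    "name": "example-siem",
    "configuration": {
        "host": "siem.example.internal",
        "username": "svc-fortisoar",
        "password": "Hunter2-NotARealSecret",
        "verify_ssl": True,
    },
    "credentials": [{"api_key": "abc123-constructed"}],
}

if __name__ == "__main__":
    safe = redact_secrets(SAMPLE_CONNECTOR)
    print(json.dumps(safe, indent=2))
    print(find_plaintext_secrets(safe, ["Hunter2-NotARealSecret", "abc123-constructed"]))
```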

Version                     Affected           Solution
FortiSOAR on-premise 7.5    Not affected       Not Applicable
FortiSOAR on-premise 7.4    Not affected       Not Applicable
FortiSOAR on-premise 7.3    7.3.0              Upgrade to 7.3.1 or above
FortiSOAR on-premise 7.2    7.2 all versions   Migrate to a fixed release
FortiSOAR on-premise 7.0    7.0 all versions   Migrate to a fixed release
FortiSOAR on-premise 6.4    Not affected       Not Applicable

Acknowledgement

Fortinet is pleased to thank James Cato from New Zealand Police for reporting this vulnerability under responsible disclosure.

Timeline

2024-05-14: Initial publication